Package: cryptmount
Version: 6.2.0-1
Severity: normal
Tags: bookworm
Usertags: pu
X-Debbugs-Cc: rwpen...@users.sourceforge.net
Control: affects -1 + src:cryptmount
[ Reason ]
When cryptmount is passed invalid command-line arguments, it is likely to crash with a SEGV error due to inappropriately zeroed memory passed to getopt_long().

[ Impact ]
The absence of error messages when invalid command-line arguments are supplied affects usability. The use of uninitialized memory with a setuid binary is, potentially, a security risk.

[ Tests ]
The fix involves a single-line change to replace a call to malloc() with one to calloc(). This has been tested manually on invalid command-line arguments, and the upstream "mudslinger" test-suite has been used for regression tests across a wide range of usage scenarios.

[ Risks ]
The proposed change has very little risk of side-effects.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [x] the issue is verified as fixed in unstable

[ Changes ]
A call to malloc() prior to using getopt_long() has been replaced by a similar call to calloc().

-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)
Kernel: Linux 6.3.0-1-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-6.2.0-1-] {+6.2.0-1+deb12u1+}
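As an added illustration of the malloc()/calloc() change described under [ Changes ] (constructed here; this is not cryptmount's code, and it is an assumption that the uninitialised buffer in cryptmount was the longopts table): getopt_long() scans its longopts array until it meets an entry whose name is NULL, so a table built on the heap needs a trailing all-zero sentinel, which calloc() guarantees and malloc() does not. The names build_options, parse_args and struct parsed are invented for the example.

```c
#include <getopt.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not cryptmount's code.  getopt_long() walks the
 * longopts array until it reaches an entry whose name is NULL, so a table
 * built on the heap needs one extra, all-zero sentinel entry.  malloc() leaves
 * that entry holding stale heap bytes and the scan runs off the table on any
 * option it does not recognise; calloc() guarantees the zero terminator. */

struct parsed {
    int verbose;
    const char *config;
};

/* Build the option table with a zeroed sentinel (the calloc() form). */
static struct option *build_options(void)
{
    const size_t nopts = 2;
    /* nopts + 1: the extra entry is the sentinel getopt_long() searches for.
     * With malloc((nopts + 1) * sizeof *opts) it would stay uninitialised. */
    struct option *opts = calloc(nopts + 1, sizeof *opts);
    if (opts == NULL) return NULL;
    opts[0].name = "verbose"; opts[0].has_arg = no_argument;       opts[0].val = 'v';
    opts[1].name = "config";  opts[1].has_arg = required_argument; opts[1].val = 'c';
    /* opts[2] is already all zero: name == NULL ends the table. */
    return opts;
}

/* Parse argv; returns 0 on success, -1 on an unrecognised option or a
 * missing argument (the kind of input that crashed with an unterminated table). */
int parse_args(int argc, char **argv, struct parsed *out)
{
    struct option *opts = build_options();
    int c, rc = 0;
    if (opts == NULL) return -1;
    memset(out, 0, sizeof *out);
    optind = 0;   /* glibc: reset getopt state so the function is re-entrant */
    opterr = 0;   /* suppress getopt_long()'s own message; the caller reports */
    while ((c = getopt_long(argc, argv, "vc:", opts, NULL)) != -1) {
        switch (c) {
        case 'v': out->verbose = 1; break;
        case 'c': out->config = optarg; break;
        default:  rc = -1; break;  /* '?' for unknown option or missing argument */
        }
    }
    free(opts);
    return rc;
}
```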